Probably would be better if you created another user with similar sudo privileges and allowed them to ssh as root. Letting root ssh can be a bad idea.

On Mon, May 9, 2011 at 3:18 PM, Steven Buehler <steve@xxxxxxxxxxxx> wrote:

> I am trying to set up our servers to only allow logins with a public/private
> key pair. 2 of our machines have to have root login access with ssh and the
> rest, we will log in as another account and su to root. I just started with
> this company and on their boxes which range from version 5.1 to 5.5, if I
> open up the firewall to allow ssh access from anywhere, I can ssh to root
> without a password. The only uncommented lines in the /etc/ssh/sshd_config
> are the following:
>
> Protocol 2
> SyslogFacility AUTHPRIV
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM no
> PubkeyAuthentication yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> GatewayPorts yes
> X11Forwarding yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
> I'm hoping that someone can lead me in the right direction as I can't figure
> this one out. If this was only one machine, I would assume that it might
> have been hacked, but this is all of their servers and VMs that will allow
> me to ssh to them without a login/password and get into root. Luckily, they
> have always had their (supposedly anyway) iptables set to only allow access
> from specific IPs.
>
> Thanks
> Steve
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
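
An added example, not part of either message in this thread: a small Python check that takes the directives quoted above, fills in the value sshd falls back to when a directive is left unset, and lists the authentication methods that can log root in without a password prompt. The values in `ASSUMED_DEFAULTS` are assumptions about OpenSSH releases before 7.0, and the function names are hypothetical.

```python
# Added example: which login paths does the posted sshd_config leave open for root?
# Constructed input: the uncommented directives as quoted in the message
# (the AcceptEnv lines are omitted; they do not affect authentication).
POSTED = """\
Protocol 2
SyslogFacility AUTHPRIV
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM no
PubkeyAuthentication yes
GatewayPorts yes
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
"""

# Assumption: compiled-in defaults of OpenSSH releases before 7.0,
# where an unset PermitRootLogin means "yes".
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "pubkeyauthentication": "yes",
                    "passwordauthentication": "yes", "gssapiauthentication": "no"}

def effective(text):
    """Map each keyword (lower-cased) to (value, source) for the global section."""
    cfg = {k: (v, "default") for k, v in ASSUMED_DEFAULTS.items()}
    seen = set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                # blank line, comment, or keyword without value
        key = parts[0].lower()      # keywords are case-insensitive
        if key == "match":          # conditional blocks are out of scope here
            break
        if key not in seen:         # sshd keeps the first value it reads
            seen.add(key)
            cfg[key] = (parts[1].strip(), "config")
    return cfg

def root_paths(text):
    """Authentication methods that can log root in without a password prompt."""
    cfg = effective(text)
    root = cfg["permitrootlogin"][0]
    if root == "no":
        return []
    paths = []
    if cfg["pubkeyauthentication"][0] == "yes":
        paths.append("publickey")   # any key listed in root's authorized_keys
    if cfg["gssapiauthentication"][0] == "yes" and root != "forced-commands-only":
        paths.append("gssapi")      # a Kerberos principal authorised for root
    return paths
```

For the posted configuration, `effective(POSTED)["permitrootlogin"]` comes back as `("yes", "default")`, so which keys or principals can reach root is decided by root's `authorized_keys` file and any Kerberos mapping on each host, not by `sshd_config`.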